Method for monitoring a network and network including a monitoring functionality

Abstract

A method for monitoring a network, wherein the network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that collect network measurement data, a plurality of mediator nodes each performing at least the task of aggregating network measurement data received from different monitoring nodes and/or other mediator nodes, and at least one root entity that receives network measurement data and/or aggregated network measurement data from the mediator nodes, is characterized in that the aggregation of network measurement data is performed by condensing network measurement data into a summarized probabilistic data structure. Furthermore, a network including a monitoring functionality is disclosed.

Description

CROSS-REFERENCES TO RELATED APPLICATIONS[0001]This application is a U.S. National Stage of PCT / EP2010 / 005344 filed Aug. 31, 2010 and claiming priority to EP 0901192.3 filed Sep. 1, 2009.BACKGROUND OF THE INVENTION[0002]The present invention relates to a method for monitoring a network, wherein said network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that collect network measurement data, a plurality of mediator nodes each performing at least the task of aggregating network measurement data received from different monitoring nodes and / or other mediator nodes, and at least one root entity that receives network measurement data and / or aggregated network measurement data from said mediator nodes.[0003]Furthermore, the present invention relates to a network including a monitoring functionality, wherein said network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that co...

AI Technical Summary

Benefits of technology

[0016]According to a preferred embodiment it may be provided that the summarized data structures include Bloom Filters and/or sketches, which are two well-known probabilistic data structures being widely deployed. However, other embodiments can accommodate other summarizing data structures as well, as long as the following requirements are fulfilled: First, they have to be linear with respect to aggregation, i.e. the aggregation of the data structures summarizing two sets of events must be equal to an analogous data structure summarizing the union of the two sets of events. Secondly, as already discussed above they have to be non-reversible in order to assure that monitoring and aggregation of detailed data is performed in a privacy preserving manner. Further to these two requirements it is favorable with respect to an efficient aggregation process that the data structures have a low memory footprint and query time, i.e. that they are independent on the number of logged keys. Finally, the data structures should avoid the occurrence of false negatives, while the occurrence of false positives is basically allowed. The impact of false positives can be evaluated on a case-by-case basis. Depending on the application, a proper combination of probabilistic data structures can be used. As an example, a report of measurement data may be composed of a sketch as well as a Bloom Filter.

[0017]With respect to an effective backtracking process it may be provided that each mediator node caches a local copy of the summarized data structure it has generated.

[0018]For detecting anomalous network behavior it may be provided that each mediator node performs a pattern check on its summarized data structure. More specifically, the mediator nodes are configured to check their aggregated summaries for any anomalous pattern, with the definition of an anomalous pattern depending directly on the monitoring application and/or on the adopted data structure. Examples of anomalous patterns may be the evidence that an event counter associated to a user (or a set of users) has exceeded a giv

Problems solved by technology

Unfortunately, monitoring traffic in real-time and in a distributed way presents a range of difficult issues.

The first of these is scalability: the volume of traffic to be monitored is rapidly growing, with reports stating that the annual global IP traffic volume will exceed half a zettabyte (5×1020 bytes) by 2012 and will nearly double every two years (see for reference “Approaching the zettabyte era”; this growth puts serious stress on any monitoring infrastructure that tries to centralize the collection of data.

Another issue is privacy, since any monitoring architecture should ensure that it can accomplish its intended purpose without infringing on end-users' privacy.

Further, several applications (e.g., law enforcement, security incident reporting, etc) have the need to backtrack to the originating monitoring probe in order to retrieve more detailed information, a requirement that could not be met by a simple scheme that exports only summarized information to achieve scalability and privacy-preservation.

While some solutions in the area exist,

Images